Acknowledgement to our students

We want to thank the following students for their great contributions to this project: Karsten Meyer zu Selhausen, Nico Beckenkamp, Simon Rohlmann, Christian Pressler, and David Dankelmann.

Without your support, our research would not be possible. We learned a lot from all of you and enjoyed the joint work.

We also want to thank David Herring for proof-reading our papers and improving our writing skills. It was a pleasure to work with you.

Best regards

Jörg Schwenk, Jens Müller, Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Martin Grothe

| Name | Topic | Thesis |
|---|---|---|
| Karsten Meyer zu Selhausen | Security of PDF Signatures | thesis (EN) |
| Simon Rohlmann | Sicherheitsanalyse und Evaluierung von signierten PDF Dokumenten | thesis (DE) |
| Christian Pressler | Evaluierung der Sicherheit von JavaScript in PDFs an dem Beispiel von Adobe Acrobat Reader DC | thesis (DE) |
| Nico Beckenkamp | Fiddling with PKCS#7 Signatures on the Example of PDF | coming soon ... |
| David Dankelmann | Systematic Security Analysis of Signed PDF Documents | coming soon ... |

Responsible Disclosure

We would like to thank the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.

Furthermore, we would like to thank the Adobe security team for the professional, positive, and constructive communication during the entire responsible disclosure period.

Misc

Florian Zumbiehl

We would like to acknowledge Florian Zumbiehl, who found an interesting attack related to PDF signatures in PDF viewers back in 2010.

DocuSign researcher

We want to acknowledge the research of John Heasman and his team at DocuSign for finding one variant of the Signature Wrapping attack independently of our research. They tested and reported their attack against the following products:

ecsec GmbH and A-SIT

We also want to acknowledge the great contribution of Detlef Hühnlein (ecsec GmbH) and Herbert Leitold (A-SIT) for giving us a lot of information regarding the usage of PDF signatures in the wild and explaining the legal aspects of digitally signed documents to us.

Other

We also thank Good Free Photos for making available the photos we used to design the PDFex logo.

We would like to thank all security researchers working on PDF security for their great contributions.

We also would like to thank the software vendors who responsibly reacted to our findings and fixed the security issues.